CERT Coordination Center

ICQ contains a buffer overflow while processing Voice Video & Games feature requests

Vulnerability Note VU#570167

Original Release Date: 2002-01-15 | Last Revised: 2002-01-24

Overview

There is a remotely exploitable buffer overflow in ICQ. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code with the privileges of the victim user.

Description

ICQ is a program for communicating with other users over the Internet. ICQ is widely used (by over 122 million people according to ICQ Inc., an AOL Time Warner-owned subsidiary). A buffer overflow exists in the ICQ client for Windows. The buffer overflow occurs during the processing of a Voice Video & Games feature request message. This message is supposed to be a request from another ICQ user inviting the victim to participate interactively with a third-party application. In versions prior to 2001B, the buffer overflow occurs in code within the ICQ client itself. In version 2001B the code containing the buffer overflow was moved to an external plug-in.

Therefore, all versions prior to the latest build of 2001B are vulnerable. Upon connection to an AOL ICQ server, vulnerable builds of the 2001B client will be instructed by the server to disable the vulnerable plug-in. Since versions of the ICQ client prior to 2001B do not have an external plug-in to disable, they are vulnerable even after connecting to the server. AOL Time Warner is recommending all users of vulnerable versions of ICQ upgrade to 2001B Beta v5.18 Build #3659.

During normal operation, ICQ clients can exchange messages with one another through the ICQ servers or via a direct connection. The buffer overflow specifically occurs during the processing of the Voice Video & Games request via a Type, Length, Value (TLV) tuple with type 0x2711 from the ICQ server, or via a crafted direct connection request.
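The following C example, added here and not taken from ICQ or from the advisory, illustrates the defect class described above: a Type, Length, Value record of type 0x2711 whose sender-controlled length field drives a copy into a fixed-size buffer, next to a handler that checks the length against the destination first. The TLV layout (2-byte type, 2-byte length, big-endian), the 64-byte buffer and the function names are assumptions for the illustration, not ICQ's actual framing or code.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout for this illustration: 2-byte big-endian type, 2-byte big-endian
 * length, then `len` bytes of value. ICQ's real framing is not reproduced here. */
#define TLV_VVG_REQUEST 0x2711   /* TLV type named in the advisory */
#define REQ_BUF_SIZE    64       /* assumed fixed-size destination buffer */

struct tlv {
    uint16_t type;
    uint16_t len;
    const uint8_t *value;
};

/* Decode one TLV header; 0 if truncated or if the declared length runs past the datagram. */
int tlv_parse(const uint8_t *buf, size_t buflen, struct tlv *out) {
    if (buflen < 4) return 0;
    out->type = (uint16_t)((buf[0] << 8) | buf[1]);
    out->len  = (uint16_t)((buf[2] << 8) | buf[3]);
    if ((size_t)out->len > buflen - 4) return 0;
    out->value = buf + 4;
    return 1;
}

/* The defect class: the sender-controlled length drives the copy, the destination
 * size never does. Hypothetical; kept only for contrast with the handler below. */
void handle_vvg_request_unchecked(const struct tlv *t, char dst[REQ_BUF_SIZE]) {
    memcpy(dst, t->value, t->len);   /* writes past dst when len > REQ_BUF_SIZE */
}

/* Hardened handler (hypothetical): copies only when the value fits with room for a
 * NUL. Returns bytes copied, -1 if the value is too long, -2 if the type is wrong. */
int handle_vvg_request_safe(const struct tlv *t, char *dst, size_t dstlen) {
    if (t->type != TLV_VVG_REQUEST) return -2;
    if (t->len >= dstlen) return -1;
    memcpy(dst, t->value, t->len);
    dst[t->len] = '\0';
    return (int)t->len;
}

/* Build a constructed datagram holding one 0x2711 TLV of `vlen` bytes in `dgram`
 * and run it through the safe path; -3 means it did not parse. */
int feed_vvg_request(uint8_t *dgram, size_t cap, uint16_t vlen) {
    struct tlv t;
    char req[REQ_BUF_SIZE];
    if (cap < 4u + vlen) return -3;
    dgram[0] = 0x27; dgram[1] = 0x11;
    dgram[2] = (uint8_t)(vlen >> 8); dgram[3] = (uint8_t)vlen;
    memset(dgram + 4, 'A', vlen);
    if (!tlv_parse(dgram, 4u + vlen, &t)) return -3;
    return handle_vvg_request_safe(&t, req, sizeof req);
}
```

The length check in the safe handler is the whole fix: a value of 64 or more bytes is rejected before any copy, and a header whose length exceeds the bytes actually received is rejected by the parser.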

The ICQ client opens port 4000/udp for client-server communication. As with the previously reported AIM vulnerability, AOL has modified the ICQ server infrastructure to filter malicious messages that attempt to exploit this vulnerability, preventing it from being exploited through an AOL ICQ server. Exploiting the vulnerability through other means (man-in-the-middle attacks, third-party ICQ servers, DNS spoofing, network sniffing, etc.) may still be possible. Also, since UDP packets can be broadcast on a network, a malicious TLV packet with a spoofed source IP address may be accepted as a legitimate server message.

The ICQ client also listens on a variably assigned tcp port for direct connection requests. A person who wishes to establish a direct connection can query an ICQ server for the IP address and listening port of the victim. Versions 2000A and prior accept direct connections from anyone by default. Later versions of ICQ can be configured to accept direct connections from anyone. Since ICQ requests can be sent directly from one client to another, blocking requests through a central server is not a completely effective solution.

Impact

Exploitation of the buffer overflow may allow a remote attacker to execute arbitrary code on the victim's system.

Solution

There is currently no patch available for the ICQ plug-in for 2001B or for versions of the ICQ client prior to 2001B. All users should upgrade to version 2001B Beta v5.18 Build #3659, whose installer will delete the vulnerable plug-in. In addition, access to the vulnerable plug-in will be disabled for users with versions of 2001B prior to Beta v5.18 Build #3659 who log in to the server.

Block ICQ/SMS requests at the firewall

Blocking connections to login.icq.com and access to ports 4000/UDP, 5190/TCP and the TCP port that your client chooses to listen on may prevent exploitation of this vulnerability. Note that the client may establish a new listening port each time it is run. Note also that this does not protect you from attacks within the perimeter of your firewall.

Block untrusted messages

ICQ permits the user to deny direct connections from anyone without authorization or accept direct connections from known peers only. We recommend denying direct connections from anyone without authorization. By accepting direct connections from known peers, you may still be vulnerable to attacks that originate from known peers if the peer is compromised.

Vendor Information


AOL Time Warner Affected

Notified: January 07, 2002 | Updated: January 17, 2002

Status

Affected

Vendor Statement

See http://web.icq.com/help/quickhelp/1,,117,00.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There is currently no patch available for the ICQ plug-in for 2001B or for versions of the ICQ client prior to 2001B. All users should upgrade to version 2001B Beta v5.18 Build #3659, whose installer will delete the vulnerable plug-in. In addition, access to the vulnerable plug-in will be disabled for users with versions of 2001B prior to Beta v5.18 Build #3659 who log in to the server.


Acknowledgements

Our thanks to Daniel Tan, who discovered this vulnerability and aided in its analysis.

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2002-0028
Severity Metric: 22.78
Date Public: 2002-01-07
Date First Published: 2002-01-15
Date Last Updated: 2002-01-24 19:11 UTC
Document Revision: 31

Sponsored by CISA.